aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAge
* [PATCH] ipw2200: switch to the new ipw2200-fw-3.0 image formatJames Ketrenos2006-03-17
| | | | | | | | | | | | | | | | | | | | | | | This patch modifies the driver to support the ipw2200-fw-3.0 image format. The 3.0 fw image does not add any new capabilities, but as a result of image format changes, it should fix two problems experienced by users: 1) Race conditions with the request_firmware interface and udev/hotplug are improved as only a single request_firmware call is now required to load the firmware and microcode (vs. 3 separate calls previously) 2) The monitor mode firmware (sniffer) is now packaged with the correct boot image so it can now function without frequent restarts. Note: Once you apply this patch, you will also need to upgrade your firmware image to the 3.0 version available from: http://ipw2200.sf.net/firmware.php Signed-off-by: James Ketrenos <jketreno@linux.intel.com> Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* [PATCH] ipw2200: wireless extension sensitivity threshold supportOlivier Hochreutiner2006-03-17
| | | | | | | | | | The patch allows the user to set the handover threshold, i.e. the number of consecutively missed beacons that will trigger a roaming attempt. The disassociation threshold is set to 3 times the handover threshold. Signed-off-by: Olivier Hochreutiner <olivier.hochreutiner@epfl.ch> Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* [PATCH] ipw2200: Enables the "slow diversity" algorithmCahill, Ben M2006-03-17
| | | | | | | | | | This forces one antenna or the other, if the background noise is significantly quieter in one than the other. It favors the quieter antenna, and won't kick in unless the difference is significant. Signed-off-by: Cahill, Ben M <ben.m.cahill@intel.com> Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* [PATCH] ipw2200: Set a meaningful silence threshold valueCahill, Ben M2006-03-17
| | | | | | | | | | | | | | Set a meaningful silence threshold value (replacing our previous "0" default), which gets rid of the gratuitous "Link deterioration" notifications that we've been receiving from firmware. This notification feature tells the driver information to help it determine when to pre-emptively restart the firmware/ucode in anticipation of firmware errors! But since setting this new threshold, I haven't seen any such notifications. At least it keeps the logs a little less busy. Signed-off-by: Cahill, Ben M <ben.m.cahill@intel.com> Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* [PATCH] ipw2200: export `debug' module param only if CONFIG_IPW2200_DEBUGZhu Yi2006-03-17
| | | | | Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* [PATCH] ipw2200: Change debug level for firmware error loggingZhu Yi2006-03-17
| | | | | Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* [PATCH] ipw2200: Filter unsupported channels out in ad-hoc modeZhu Yi2006-03-17
| | | | | | | | | | Currently iwlist ethX freq[uency]/channel lists all the channels the card supported for the current region, which includes some channels can only be used in infrastructure mode. This patch filters these channels out if the card is currently in ad-hoc mode. Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* [PATCH] ipw2200: Fix ipw_sw_reset() implementation inconsistent with commentZhu Yi2006-03-17
| | | | | Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* [PATCH] ipw2200: Fix rf_kill is activated after mode change with 'disable=1'Zhu Yi2006-03-17
| | | | | | | | | | When loading the ipw2200 module with disabled=1, rf_kill is activated after every mode change. This is caused by ipw_sw_reset() is called when a mode is changed. The patch fixed the problem by distinguishing the purposes with the 'option' paramenter. Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* [PATCH] ipw2200: remove the WPA card associates to non-WPA AP checkingZhu Yi2006-03-17
| | | | | | | | | | | | wpa_supplicant needs to set wpa_enabled unconditionally, with this check it hasn't been possible to connect to non-WPA networks using wpa_supplicant. So remove below check. if (priv->ieee->wpa_enabled && network->wpa_ie_len == 0 && network->rsn_ie_len == 0) Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* [PATCH] ipw2200: Add signal level to iwlist scan outputBill Moss2006-03-17
| | | | | | | | | | | This patch does two things. It uses the parameter IW_QUAL_DBM which is new in WE-19 to cause signal level and noise to be reported in dBm by the wireless tools. It also defines the signal level as an unsigned integer so that the signal level will be reported by iwlist iface scan. Signed-off-by: Bill Moss <bmoss@clemson.edu> Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* [PATCH] ipw2200: use generic ieee80211_get_hdrlen() to get packet lengthZhu Yi2006-03-17
| | | | | | | | replace ipw2200 specific frame_hdr_len() with generic ieee80211 routine ieee80211_get_hdrlen() Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* [PATCH] ipw2200: fix a potential NULL pointer dereferenceZhu Yi2006-03-17
| | | | | | | Only on CONFIG_IPW2200_DEBUG is not defined Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* [PATCH] ipw2200: stop netdev queue if h/w doesn't have space for new packetsJames Ketrenos2006-03-17
| | | | | | | | | | | | | | | | | | | | | | | The patch roll back the change we made to support for the ability to start/stop independent Tx queues within a single net device in order to support 802.11e QoS. We need to be able to indicate to the upper layers that packets of a given priority can not be sent any more without halting transmission of all packets, and without rescheduling high priority packets down to the next priority level. So we return NETDEV_TX_BUSY in this case and rely on the stack would take care of rescheduling... which it apparently does immediately and consumes the CPU. This caused the ksoftirqd kernel thread consuming almost all the CPU... To put the code back to the way it was before we made these changes we put the call netif_queue_stop back in ipw_tx_skb. This effectively disables multiple priority based transmit queues for 802.11e, but given that its broken anyway... Signed-off-by: James Ketrenos <jketreno@linux.intel.com> Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* [PATCH] ipw2200: print geography code upon module loadHenrik Brix Andersen2006-03-17
| | | | | | | | | | | | | Given the amount of support requests for the meaning of the geography code I've written a patch for printing this information on module load no matter the debug level. I've also added a section to the README.ipw2200 file listing the geography codes and their meaning. Signed-off-by: Henrik Brix Andersen <brix@gentoo.org> Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* [PATCH] drivers/net/wireless/ipw2200.c: make ipw_qos_current_mode() staticAdrian Bunk2006-03-17
| | | | | | | | This patch makes the needlessly global function ipw_qos_current_mode() static. Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* [PATCH] Remove duplicated code from ipw2200.cLarry Finger2006-03-17
| | | | | | | | | | | | As stated in a comment, the ipw2200 driver uses several routines that were borrowed from ieee80211_geo.c. As ipw2200 requires ieee80211, these routines are duplicated. The attached patch, which is sent as an attachment to preserve whitespace, converts ipw2200.c to use the ieee80211 versions, thereby reducing bloat in both the source and binary. Signed-Off-By: Larry Finger <Larry.Finger@lwfinger.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* Merge branch 'upstream-fixes'John W. Linville2006-03-15
|\
| * [PATCH] ieee80211: Fix QoS is not active problemHong Liu2006-03-15
| | | | | | | | | | | | | | | | | | | | | | | | Fix QoS is not active even the network and the card is QOS enabled. The problem is we pass the wrong ieee80211_network address to ipw_handle_beacon/ipw_handle_probe_response, thus the ieee80211_network->qos_data.active will not be set, causing the driver not sending QoS frames at all. Signed-off-by: Hong Liu <hong.liu@intel.com> Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * [PATCH] ieee80211: Fix CCMP decryption problem when QoS is enabledZhu Yi2006-03-15
| | | | | | | | | | | | | | Use the correct STYPE for Qos data. Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * [PATCH] fs/namespace.c:dup_namespace(): fix a use after freeAdrian Bunk2006-03-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The Coverity checker spotted the following bug in dup_namespace(): <-- snip --> if (!new_ns->root) { up_write(&namespace_sem); kfree(new_ns); goto out; } ... out: return new_ns; <-- snip --> Callers expect a non-NULL result to not be freed. Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
| * [PATCH] Consistent capabilites associated with MPOL_MOVE_ALLChristoph Lameter2006-03-15
| | | | | | | | | | | | | | | | | | | | | | | | | | It seems that setting scheduling policy and priorities is also the kind of thing that might be performed in apps that also use the NUMA API, so it would seem consistent to use CAP_SYS_NICE for NUMA also. So use CAP_SYS_NICE for controlling migration permissions. Signed-off-by: Christoph Lameter <clameter@sgi.com> Cc: Michael Kerrisk <mtk-manpages@gmx.net> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
| * [PATCH] Page migration documentation updateChristoph Lameter2006-03-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Update the documentation for page migration. - Fix up bits and pieces in cpusets.txt - Rework text in vm/page-migration to be clearer and reflect the final version of page migration in 2.6.16. Mention Andi Kleen's numactl package that contains user space tools for page migration via libnuma. Add reference to numa_maps and to the manpage in numactl. - Add todo list for outstanding issues Signed-off-by: Christoph Lameter <clameter@sgi.com> Acked-by: Paul Jackson <pj@sgi.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
| * [PATCH] page migration: fail if page is in a vma flagged VM_LOCKEDChristoph Lameter2006-03-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | page migration currently simply retries a couple of times if try_to_unmap() fails without inspecting the return code. However, SWAP_FAIL indicates that the page is in a vma that has the VM_LOCKED flag set (if ignore_refs ==1). We can check for that return code and avoid retrying the migration. migrate_page_remove_references() now needs to return a reason why the failure occured. So switch migrate_page_remove_references to use -Exx style error messages. Signed-off-by: Christoph Lameter <clameter@sgi.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
| * [PATCH] "s390: multiple subchannel sets support" fixGreg Smith2006-03-15
| | | | | | | | | | | | | | | | | | | | | | It seems this patch got dropped (it was in addition to the `s390: improve response code handling in chsc_enable_facility()' patch). Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com> Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> Cc: Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
| * Merge git://oss.sgi.com:8090/oss/git/rc-fixesLinus Torvalds2006-03-14
| |\ | | | | | | | | | | | | * git://oss.sgi.com:8090/oss/git/rc-fixes: Fix a direct I/O locking issue revealed by the new mutex code.
| | * Fix a direct I/O locking issue revealed by the new mutex code.Nathan Scott2006-03-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Affects only XFS (i.e. DIO_OWN_LOCKING case) - currently it is not possible to get i_mutex locking correct when using DIO_OWN direct I/O locking in a filesystem due to indeterminism in the possible return code/lock/unlock combinations. This can cause a direct read to attempt a double i_mutex unlock inside XFS. We're now ensuring __blockdev_direct_IO always exits with the inode i_mutex (still) held for a direct reader. Tested with the three different locking modes (via direct block device access, ext3 and XFS) - both reading and writing; cannot find any regressions resulting from this change, and it clearly fixes the mutex_unlock warning originally reported here: http://marc.theaimsgroup.com/?l=linux-kernel&m=114189068126253&w=2 Signed-off-by: Nathan Scott <nathans@sgi.com> Acked-by: Christoph Hellwig <hch@lst.de>
| * | [PATCH] JFS: Take logsync lock before testing mp->lsnDave Kleikamp2006-03-14
| | | | | | | | | | | | | | | | | | | | | This fixes a race where lsn could be cleared before taking the lock Signed-off-by: Dave Kleikamp <shaggy@austin.ibm.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
| * | Merge master.kernel.org:/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6Linus Torvalds2006-03-14
| |\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * master.kernel.org:/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6: [SCSI] zfcp: fix device registration issues [SCSI] scsi_transport_fc: fix FC_HOST_NUM_ATTRS [SCSI] scsi: aha152x pcmcia driver needs spi transport [SCSI] zfcp: correctly set this_id for hosts [SCSI] Add Brownie to blacklist
| | * | [SCSI] zfcp: fix device registration issuesAndreas Herrmann2006-03-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The patch fixes following issues: (1) Replace scsi_add_device with scsi_scan_target. (Thus the rport instead of the scsi_host becomes parent of a scsi_target again.) (2) Avoid scsi_device allocation during registration of an remote port. (Would be done during fc_scsi_scan_rport.) (3) Fix queuecommand behaviour when an zfcp unit is blocked. (Call scsi_done with DID_NO_CONNECT instead of returning SCSI_MLQUEUE_DEVICE_BUSY otherwise we might end up waiting for completion in blk_execute_rq for ever.) Signed-off-by: Andreas Herrmann <aherrman@de.ibm.com> Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
| | * | [SCSI] scsi_transport_fc: fix FC_HOST_NUM_ATTRSAndreas Herrmann2006-03-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In the past I added an host attribute but unfortunately I forgot to increase FC_HOST_NUM_ATTRS. This is fixed with the patch. Otherwise an fibre channel lld might run into BUG_ON(count > FC_HOST_NUM_ATTRS); in fc_attach_transport(). Signed-off-by: Andreas Herrmann <aherrman@de.ibm.com> Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
| | * | [SCSI] scsi: aha152x pcmcia driver needs spi transportDominik Brodowski2006-03-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | AHA152X PCMCIA module needs spi_print_msg. Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net> Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
| | * | [SCSI] zfcp: correctly set this_id for hostsAndreas Herrmann2006-03-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It fixes a bug in zfcp which provokes a race in scsi_scan.c. Finally this can lead to an Oops like: kernel BUG at fs/sysfs/symlink.c:87! Correctly set this_id for the host. Otherwise we provoke a race between scsi_target_reap_work and concurrent scsi_add_device. Signed-off-by: Andreas Herrmann <aherrman@de.ibm.com> Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
| | * | [SCSI] Add Brownie to blacklistMatthew Wilcox2006-03-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This device spews total rubbish to a REPORT LUNS command, so avoid sending it one. Signed-off-by: Matthew Wilcox <matthew@wil.cx> Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
| * | | [PATCH] Plug kdump shutdown race windowManeesh Soni2006-03-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | lapic_shutdown() re-enables interrupts which is un-desirable for panic case, so use local_irq_save() and local_irq_restore() to keep the irqs disabled for kexec on panic case, and close a possible race window while kdump shutdown as shown in this stack trace -- BUG: spinlock lockup on CPU#1, bash/4396, c52781a0 [<c01c1870>] _raw_spin_lock+0xb7/0xd2 [<c029e148>] _spin_lock+0x6/0x8 [<c011b33f>] scheduler_tick+0xe7/0x328 [<c0128a7c>] update_process_times+0x51/0x5d [<c0114592>] smp_apic_timer_interrupt+0x4f/0x58 [<c01141ff>] lapic_shutdown+0x76/0x7e [<c0104d7c>] apic_timer_interrupt+0x1c/0x30 [<c01141ff>] lapic_shutdown+0x76/0x7e [<c0116659>] machine_crash_shutdown+0x83/0xaa [<c013cc36>] crash_kexec+0xc1/0xe3 [<c029e148>] _spin_lock+0x6/0x8 [<c013cc22>] crash_kexec+0xad/0xe3 [<c0215280>] __handle_sysrq+0x84/0xfd [<c018d937>] write_sysrq_trigger+0x2c/0x35 [<c015e47b>] vfs_write+0xa2/0x13b [<c015ea73>] sys_write+0x3b/0x64 [<c0103c69>] syscall_call+0x7/0xb Signed-off-by: Maneesh Soni <maneesh@in.ibm.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
| * | | Revert "[PATCH] x86-64: Fix up handling of non canonical user RIPs"Linus Torvalds2006-03-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This reverts commit c33d4568aca9028a22857f94f5e0850012b6444b. Andrew Clayton and Hugh Dickins report that it's broken for them and causes strange page table and slab corruption, and spontaneous reboots. Let's get it right next time. Cc: Andrew Clayton <andrew@rootshell.co.uk> Cc: Hugh Dickins <hugh@veritas.com> Cc: Andi Kleen <ak@suse.de> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
| * | | [PATCH] EDAC: disable sysfs interfaceDave Peterson2006-03-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Disable the EDAC sysfs code. The sysfs interface that EDAC presents to user space needs more thought, and is likely to change substantially. Therefore disable it for now so users don't start depending on it in its current form. - Disable the default behavior of calling panic() when an uncorrectible error is detected (since for now, there is no sysfs interface that allows the user to configure this behavior). Signed-off-by: David S. Peterson <dsp@llnl.gov> Cc: Greg KH <greg@kroah.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
| * | | [PATCH] NLM: Ensure we do not Oops in the case of an unlockTrond Myklebust2006-03-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In theory, NLM specs assure us that the server will only reply LCK_GRANTED or LCK_DENIED_GRACE_PERIOD to our NLM_UNLOCK request. In practice, we should not assume this to be the case, and the code will currently Oops if we do. Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
| * | | [PATCH] SUNRPC: Fix potential deadlock in RPC codeTrond Myklebust2006-03-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In rpc_wake_up() and rpc_wake_up_status(), it is possible for the call to __rpc_wake_up_task() to fail if another thread happens to be calling rpc_wake_up_task() on the same rpc_task. Problem noticed by Bruno Faccini. Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
| * | | [PATCH] NFSv4: fix mount segfault on errors returned that are < -1000Trond Myklebust2006-03-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It turns out that nfs4_proc_get_root() may return raw NFSv4 errors instead of mapping them to kernel errors. Problem spotted by Neil Horman <nhorman@tuxdriver.com> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
| * | | [PATCH] SUNRPC: fix a NULL pointer dereference in net/sunrpc/clnt.cAdrian Bunk2006-03-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The Coverity checker spotted this possible NULL pointer dereference in rpc_new_client(). Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
| * | | [PATCH] NFS: Fix a potential panic in O_DIRECTTrond Myklebust2006-03-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Based on an original patch by Mike O'Connor and Greg Banks of SGI. Mike states: A normal user can panic an NFS client and cause a local DoS with 'judicious'(?) use of O_DIRECT. Any O_DIRECT write to an NFS file where the user buffer starts with a valid mapped page and contains an unmapped page, will crash in this way. I haven't followed the code, but O_DIRECT reads with similar user buffers will probably also crash albeit in different ways. Details: when nfs_get_user_pages() calls get_user_pages(), it detects and correctly handles get_user_pages() returning an error, which happens if the first page covered by the user buffer's address range is unmapped. However, if the first page is mapped but some subsequent page isn't, get_user_pages() will return a positive number which is less than the number of pages requested (this behaviour is sort of analagous to a short write() call and appears to be intentional). nfs_get_user_pages() doesn't detect this and hands off the array of pages (whose last few elements are random rubbish from the newly allocated array memory) to it's caller, whence they go to nfs_direct_write_seg(), which then totally ignores the nr_pages it's given, and calculates its own idea of how many pages are in the array from the user buffer length. Needless to say, when it comes to transmit those uninitialised page* pointers, we see a crash in the network stack. Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
| * | | [PATCH] Fix sigaltstack corruption among cloned threadsGOTO Masanori2006-03-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes alternate signal stack corruption among cloned threads with CLONE_SIGHAND (and CLONE_VM) for linux-2.6.16-rc6. The value of alternate signal stack is currently inherited after a call of clone(... CLONE_SIGHAND | CLONE_VM). But if sigaltstack is set by a parent thread, and then if multiple cloned child threads (+ parent threads) call signal handler at the same time, some threads may be conflicted - because they share to use the same alternative signal stack region. Finally they get sigsegv. It's an undesirable race condition. Note that child threads created from NPTL pthread_create() also hit this conflict when the parent thread uses sigaltstack, without my patch. To fix this problem, this patch clears the child threads' sigaltstack information like exec(). This behavior follows the SUSv3 specification. In SUSv3, pthread_create() says "The alternate stack shall not be inherited (when new threads are initialized)". It means that sigaltstack should be cleared when sigaltstack memory space is shared by cloned threads with CLONE_SIGHAND. Note that I chose "if (clone_flags & CLONE_SIGHAND)" line because: - If clone_flags line is not existed, fork() does not inherit sigaltstack. - CLONE_VM is another choice, but vfork() does not inherit sigaltstack. - CLONE_SIGHAND implies CLONE_VM, and it looks suitable. - CLONE_THREAD is another candidate, and includes CLONE_SIGHAND + CLONE_VM, but this flag has a bit different semantics. I decided to use CLONE_SIGHAND. [ Changed to test for CLONE_VM && !CLONE_VFORK after discussion --Linus ] Signed-off-by: GOTO Masanori <gotom@sanori.org> Cc: Roland McGrath <roland@redhat.com> Cc: Ingo Molnar <mingo@elte.hu> Acked-by: Linus Torvalds <torvalds@osdl.org> Cc: Ulrich Drepper <drepper@redhat.com> Cc: Jakub Jelinek <jakub@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
| * | | [PATCH] macintosh: correct AC Power info in /proc/pmu/infoBenjamin Herrenschmidt2006-03-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Report AC Power present in /proc/pmu/info if there is no battery. Signed-off-by: Olaf Hering <olh@suse.de> Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>, Cc: Paul Mackerras <paulus@samba.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
| * | | [PATCH] Restore tuning capabilities in V4L2 MXB driverMichael Hunold2006-03-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The behaviour of the all-in-one Video4Linux tuner driver apparently changed. It now wants to know the tv standard, otherwise it refuses to tune. Restore tuning functionality in my driver for the "Multimedia eXtension Board". The all-in-one tuner driver apparently changed its behaviour. Signed-off-by: Michael Hunold <hunold@linuxtv.org> Cc: Mauro Carvalho Chehab <mchehab@infradead.org> Cc: Johannes Stezenbach <js@linuxtv.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
| * | | [PATCH] mtd_dataflash, fix block vs page eraseDavid Brownell2006-03-14
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix a bug in the block-erase optimization for Dataflash; it was using block erase even for smaller segments that need page erase. That wouldn't matter for JFFS2, which never erases less than one block (sometimes several blocks), but for other callers it might. Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Acked-by: David Woodhouse <dwmw2@infradead.org> Acked-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
| * | [TCP]: Fix zero port problem in IPv6Herbert Xu2006-03-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | When we link a socket into the hash table, we need to make sure that we set the num/port fields so that it shows us with a non-zero port value in proc/netlink and on the wire. This code and comment is copied over from the IPv4 stack as is. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | [PATCH] x86-64: Fix up handling of non canonical user RIPsAndi Kleen2006-03-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | EM64T CPUs have somewhat weird error reporting for non canonical RIPs in SYSRET. We can't handle any exceptions there because the exception handler would end up running on the user stack which is unsafe. To avoid problems any code that might end up with a user touched pt_regs should return using int_ret_from_syscall. int_ret_from_syscall ends up using IRET, which allows safe exceptions. Cc: Ernie Petrides <petrides@redhat.com> Signed-off-by: Andi Kleen <ak@suse.de> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
| * | [NETFILTER]: arp_tables: fix NULL pointer dereferencePatrick McHardy2006-03-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The check is wrong and lets NULL-ptrs slip through since !IS_ERR(NULL) is true. Coverity #190 Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | [IPV4/6]: Fix UFO error propagationPatrick McHardy2006-03-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When ufo_append_data fails err is uninitialized, but returned back. Strangely gcc doesn't notice it. Coverity #901 and #902 Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>